General

  • Target

    2024-08-12_2fbe79a2d4b23c64c6dc0213491f26c9_mafia

  • Size

    14.0MB

  • Sample

    240812-w36d3stcmj

  • MD5

    2fbe79a2d4b23c64c6dc0213491f26c9

  • SHA1

    d0cdbd445c1833fdb35124c280d522c34d093bb3

  • SHA256

    1d57ced8656b69f8b333b0d53d3950fa5c44b2489d259040ed46d309338be96e

  • SHA512

    eac38effc4cc548938b97d94bee898461851967968705df6340dc8370685c2d5a24a9b41b1befae455f73ef8316030f91e6812cbd979f20317b2045f86e08340

  • SSDEEP

    6144:4+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:4+r1IeSXMXc7LlxWV4Ug97GZ+ej

Malware Config

Extracted

Family

tofsee

C2

43.231.4.7

lazystax.ru

Targets

    • Target

      2024-08-12_2fbe79a2d4b23c64c6dc0213491f26c9_mafia

    • Size

      14.0MB

    • MD5

      2fbe79a2d4b23c64c6dc0213491f26c9

    • SHA1

      d0cdbd445c1833fdb35124c280d522c34d093bb3

    • SHA256

      1d57ced8656b69f8b333b0d53d3950fa5c44b2489d259040ed46d309338be96e

    • SHA512

      eac38effc4cc548938b97d94bee898461851967968705df6340dc8370685c2d5a24a9b41b1befae455f73ef8316030f91e6812cbd979f20317b2045f86e08340

    • SSDEEP

      6144:4+rWO2zeSPDjMXMH7Ll4aFpWVqIwUAP97GEwHrG2+e1x2:4+r1IeSXMXc7LlxWV4Ug97GZ+ej

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks